In a series of recent work, we have introduced a general framework for quantitative reasoning in specification theories. The contribution of this paper is to show how this framework can be applied to yield a robust specification theory for timed specifications.

1 Introduction 

Specification theories allow reasoning about the behaviors of systems at an abstract level, which is needed in various applications such as abstraction-based model checking for programming languages, or compositional reasoning. Depending on the application for which they are used, such specification theories may come together with (1) a satisfaction relation that allows one to decide whether an implementation is a model of the specification, (2) a notion of refinement for determining the relationship between specifications and their sets of implementations, (3) a structural composition which at the abstract level mimics the behavioral composition of systems, (4) a quotient that allows one to synthesize specifications from refinements, and (5) a logical composition that allows one to compute intersections of sets of implementations, cf. [2].

Prominent among existing specification theories, outside logics, is the one of modal transition systems [6, 14-16, 19, 22, 23], which are labeled transition systems equipped with two types of transitions: must transitions that are mandatory for any implementation, and may transitions which are optional for an implementation. So far, existing modal specification theories have relied on Boolean versions of both the refinement and the satisfaction relation. They are hence fragile in the sense that they are unable to quantify the impact of small variations of the behavior of the environment in which a component is working. In a series of recent work [3-5], and building on a general theory of quantitative analysis of systems [10, 11, 13, 20, 26], we have addressed this problem by extending modal specifications from the Boolean to the quantitative world and introducing truly quantitative versions of the operators mentioned above.

The contribution of this paper is to show how our general quantitative framework from [4] can be used to define a notion of robustness for timed modal specifications, or modal event-clock specifications (MECS) [7]. We first observe that the notion of refinement proposed in [7] is not adequate for reasoning about MECS in a robust manner. We then propose a new version of refinement that can capture quantitative phenomena in a realistic manner, and proceed to exhibit the properties of the above specification-theory operators with respect to this quantitative refinement. We show that structural composition and quotient have properties which are useful generalizations of their standard Boolean properties; hence they can be employed for robust reasoning on MECS without problem. Conjunction, on the other hand, is generally not robust (similarly to the problems exposed in [4]), but together with the new operator of quantitative widening it can be used in a robust manner.



S. Bauer, J.-B. Raclet (Eds.): 4th International Workshop
on Foundations of Interface Technologies (FIT 2012)
EPTCS 87, 2012, pp. 5-16, doi:10.4204/EPTCS.87.2

© U. Fahrenberg and A. Legay
This work is licensed under the Creative Commons
Attribution-Share Alike License.

A Robust Specification Theory for Modal Event-Clock Automata



2 Quantitative Specification Theories 

General quantitative specification theories have been introduced in [4]. These consist of

• a specification formalism: modal transition systems with labels drawn from a set $\mathsf{Spec}$,

• a distance on traces of labels: $d_T : \mathsf{Spec} \times \mathsf{Spec} \to \mathbb{R}_{\ge 0}$, and

• operations on specifications which allow high-level reasoning and which generally are continuous with respect to the natural distance on specifications induced by the trace distance.

Below we give a more detailed account of these things, in order to be able to apply them to modal 
event-clock specifications later. 

2.1 Structured Modal Transition Systems 

We assume that the set $\mathsf{Spec}$ of labels comes with a partial order $\sqsubseteq_{\mathsf{Spec}}$ modeling refinement of data: if $k \sqsubseteq_{\mathsf{Spec}} \ell$ then $k$ is more refined (leaves fewer choices) than $\ell$. The set $\mathsf{Imp} = \{ k \in \mathsf{Spec} \mid k' \sqsubseteq_{\mathsf{Spec}} k \Rightarrow k' = k \}$ is called the set of implementation labels; these are the data which cannot be refined further.

We let $[\![k]\!] = \{ k' \in \mathsf{Imp} \mid k' \sqsubseteq_{\mathsf{Spec}} k \}$ denote the set of implementation refinements of a label $k$, and we assume that $\mathsf{Spec}$ is well-formed in the sense that $[\![k]\!] \neq \emptyset$ for all $k \in \mathsf{Spec}$: any specification label can be implemented.

A structured modal transition system (SMTS) is a tuple $(S, s_0, \dashrightarrow_S, \longrightarrow_S)$ consisting of a set $S$ of states, an initial state $s_0 \in S$, and may and must transitions $\dashrightarrow_S, \longrightarrow_S \subseteq S \times \mathsf{Spec} \times S$ for which it holds that for all $s \xrightarrow{k}_S s'$ there is $s \overset{\ell}{\dashrightarrow}_S s'$ with $k \sqsubseteq_{\mathsf{Spec}} \ell$. This last condition is one of consistency: everything which is required is also allowed.

An SMTS $(S, s_0, \dashrightarrow_S, \longrightarrow_S)$ is an implementation if $\dashrightarrow_S = \longrightarrow_S \subseteq S \times \mathsf{Imp} \times S$, i.e. an ordinary labeled transition system with labels in $\mathsf{Imp}$. Hence in an implementation, all optional behavior has been resolved, and all data has been refined to implementation labels.

A modal refinement of SMTS $S, T$ is a relation $R \subseteq S \times T$ such that for any $(s,t) \in R$,

• whenever $s \overset{k}{\dashrightarrow}_S s'$, then also $t \overset{\ell}{\dashrightarrow}_T t'$ for some $k \sqsubseteq_{\mathsf{Spec}} \ell$ and $(s',t') \in R$,

• whenever $t \xrightarrow{\ell}_T t'$, then also $s \xrightarrow{k}_S s'$ for some $k \sqsubseteq_{\mathsf{Spec}} \ell$ and $(s',t') \in R$.

Thus any behavior which is permitted in $S$ is also permitted in $T$, and any behavior required in $T$ is also required in $S$. We write $S \le_m T$ if there is a modal refinement $R \subseteq S \times T$ with $(s_0,t_0) \in R$, and $S \equiv_m T$ if there is a two-sided refinement $S \le_m T$ and $T \le_m S$.

The implementation semantics of an SMTS $S$ is the set $[\![S]\!] = \{ I \le_m S \mid I \text{ is an implementation} \}$, and we write $S \le_t T$ if $[\![S]\!] \subseteq [\![T]\!]$, saying that $S$ thoroughly refines $T$.
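As an added example (not code from the paper), the following Python computes the greatest modal refinement relation between two finite SMTS by the usual fixed-point iteration from the definition above, starting from all pairs of states and removing pairs that violate either clause, and then decides $S \le_m T$ from it. It instantiates $\sqsubseteq_{\mathsf{Spec}}$ with the interval-inclusion order on labels $(a,[l,r])$ that Section 3 uses for ITMTS; the three sample systems `T`, `S1`, `S2` are constructed for illustration and are not the page's figures.

```python
from typing import FrozenSet, Hashable, Set, Tuple

# ITMTS-style label as in Section 3 of the page: (discrete symbol, [l, r]).
Label = Tuple[str, Tuple[float, float]]
Trans = Set[Tuple[Hashable, Label, Hashable]]   # transitions (source, label, target)


def refines_label(k: Label, l: Label) -> bool:
    """k ⊑_Spec l: same discrete symbol and the interval of k is contained in that of l."""
    (a, (lo, hi)), (a2, (lo2, hi2)) = k, l
    return a == a2 and lo >= lo2 and hi <= hi2


class SMTS:
    """Finite SMTS (S, s0, may, must); the consistency condition 'every must transition
    has a may transition with a wider label' is checked on construction."""

    def __init__(self, states, s0, may: Trans, must: Trans):
        self.states, self.s0, self.may, self.must = set(states), s0, set(may), set(must)
        for (s, k, s2) in self.must:
            assert any(t == s and t2 == s2 and refines_label(k, l) for (t, l, t2) in self.may), \
                f"must transition {(s, k, s2)} has no may transition allowing it"


def modal_refinement(S: SMTS, T: SMTS) -> FrozenSet[Tuple[Hashable, Hashable]]:
    """Greatest modal refinement relation R ⊆ S×T (greatest fixed point):
    start with all pairs and drop those violating one of the two clauses until stable."""
    R = {(s, t) for s in S.states for t in T.states}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(R):
            ok = True
            # clause 1: every may step of s is matched by a wider may step of t leading into R
            for (s1, k, s2) in S.may:
                if s1 == s and not any(t1 == t and refines_label(k, l) and (s2, t2) in R
                                       for (t1, l, t2) in T.may):
                    ok = False
                    break
            # clause 2: every must step of t is matched by a narrower must step of s leading into R
            if ok:
                for (t1, l, t2) in T.must:
                    if t1 == t and not any(s1 == s and refines_label(k, l) and (s2, t2) in R
                                           for (s1, k, s2) in S.must):
                        ok = False
                        break
            if not ok:
                R.discard((s, t))
                changed = True
    return frozenset(R)


def refines(S: SMTS, T: SMTS) -> bool:
    """S ≤_m T iff the initial states are related by the greatest modal refinement."""
    return (S.s0, T.s0) in modal_refinement(S, T)


# Constructed samples: T allows a delay in [0,3] and then requires an 'a';
# S1 delays within [1,2] and then requires 'a'; S2 delays within [1,4], which T does not allow.
T = SMTS({'t0', 't1', 't2'}, 't0',
         may={('t0', ('δ', (0.0, 3.0)), 't1'), ('t1', ('a', (0.0, 0.0)), 't2')},
         must={('t1', ('a', (0.0, 0.0)), 't2')})
S1 = SMTS({'s0', 's1', 's2'}, 's0',
          may={('s0', ('δ', (1.0, 2.0)), 's1'), ('s1', ('a', (0.0, 0.0)), 's2')},
          must={('s1', ('a', (0.0, 0.0)), 's2')})
S2 = SMTS({'s0', 's1', 's2'}, 's0',
          may={('s0', ('δ', (1.0, 4.0)), 's1'), ('s1', ('a', (0.0, 0.0)), 's2')},
          must={('s1', ('a', (0.0, 0.0)), 's2')})

if __name__ == "__main__":
    print("S1 <=m T:", refines(S1, T), " S2 <=m T:", refines(S2, T), " T <=m S1:", refines(T, S1))
```

The asymmetry of the two clauses is visible in the sample: `S1 ≤_m T` holds, but `T ≤_m S1` fails because T's may delay $[0,3]$ is not contained in S1's $[1,2]$.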

2.2 Distances 

The above setting is purely qualitative, i.e. Boolean: a refinement $S \le_m T$ either holds, or it does not; a transition system $I$ either is an implementation of a specification $S$, or it is not. In order to turn this setting into a quantitative one, where we can reason about robustness of refinements and implementations, we need to introduce distances.

We have in [11] developed a general framework which allows reasoning about a variety of such system distances in a uniform way. To apply this to specifications, let $\mathsf{Spec}^\infty = \mathsf{Spec}^* \cup \mathsf{Spec}^\omega$ denote the set of finite and infinite traces over $\mathsf{Spec}$, and let $d_T : \mathsf{Spec}^\infty \times \mathsf{Spec}^\infty \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ be an extended hemimetric. Recall that this means that $d_T(\sigma,\sigma) = 0$ for all $\sigma \in \mathsf{Spec}^\infty$, and that $d_T(\sigma_1,\sigma_2) + d_T(\sigma_2,\sigma_3) \ge d_T(\sigma_1,\sigma_3)$ for all $\sigma_1,\sigma_2,\sigma_3 \in \mathsf{Spec}^\infty$. Note that as $\mathsf{Spec} \subseteq \mathsf{Spec}^\infty$, $d_T$ induces a hemimetric on $\mathsf{Spec}$.

Let $M$ be an arbitrary set and $\mathbb{L} = (\mathbb{R}_{\ge 0} \cup \{\infty\})^M$ the set of functions from $M$ to the extended non-negative real line. Then $\mathbb{L}$ is a complete lattice with partial order $\sqsubseteq_{\mathbb{L}}$ given by $\alpha \sqsubseteq_{\mathbb{L}} \beta$ if and only if $\alpha(x) \le \beta(x)$ for all $x \in M$, and with an addition $\oplus_{\mathbb{L}}$ given by $(\alpha \oplus_{\mathbb{L}} \beta)(x) = \alpha(x) + \beta(x)$. The bottom element of $\mathbb{L}$ is also the zero of $\oplus_{\mathbb{L}}$ and given by $\bot_{\mathbb{L}}(x) = 0$, and the top element is $\top_{\mathbb{L}}(x) = \infty$. We also define a metric on $\mathbb{L}$ by $d_{\mathbb{L}}(\alpha,\beta) = \sup_{x \in M} |\alpha(x) - \beta(x)|$.

Let $F : \mathsf{Spec} \times \mathsf{Spec} \times \mathbb{L} \to \mathbb{L}$ be a function with the following properties:

• $F$ is continuous in the first two coordinates: $F(\cdot,k,\alpha)$ and $F(k,\cdot,\alpha)$ are continuous functions $\mathsf{Imp} \to \mathbb{L}$ for all $k \in \mathsf{Spec}$, $\alpha \in \mathbb{L}$.

• $F$ is monotone in the third coordinate: $F(k,\ell,\cdot)$ is a monotone function $\mathbb{L} \to \mathbb{L}$ for all $k,\ell \in \mathsf{Spec}$.

• $F(\cdot,\cdot,\bot_{\mathbb{L}})$ extends $d_T$: for all $k,\ell \in \mathsf{Spec}$, $F(k,\ell,\bot_{\mathbb{L}}) = d_T(k,\ell)$.

• $F$ acts as a Hausdorff metric [21] when specification labels are viewed as sets of implementation labels: for all $k,\ell \in \mathsf{Spec}$ and $\alpha \in \mathbb{L}$, $F(k,\ell,\alpha) = \sup_{m \in [\![k]\!]} \inf_{n \in [\![\ell]\!]} F(m,n,\alpha)$.

• Sets of implementation labels are closed with respect to $F$: for all $k,\ell \in \mathsf{Spec}$ and $\alpha \in \mathbb{L}$ with $F(k,\ell,\alpha) \neq \top_{\mathbb{L}}$, there are $m \in [\![k]\!]$, $n \in [\![\ell]\!]$ with $F(m,\ell,\alpha) = F(k,n,\alpha) = F(k,\ell,\alpha)$.

• $F$ satisfies an extended triangle inequality: for all $k,\ell,m \in \mathsf{Spec}$ and $\alpha,\beta \in \mathbb{L}$, $F(k,\ell,\alpha) \oplus_{\mathbb{L}} F(\ell,m,\beta) \sqsupseteq_{\mathbb{L}} F(k,m,\alpha \oplus_{\mathbb{L}} \beta)$.

As the last ingredients, let $h_T : \mathsf{Spec}^\infty \times \mathsf{Spec}^\infty \to \mathbb{L}$ and $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ be functions such that $g$ is monotone with $g(\bot_{\mathbb{L}}) = 0$, $g(\alpha) \neq \infty$ for $\alpha \neq \top_{\mathbb{L}}$, and $g \circ h_T = d_T$, and such that $h_T$ has a recursive characterization, using $F$, as follows:

$$
h_T(\sigma,\tau) = \begin{cases}
F(\sigma_0, \tau_0, h_T(\sigma^1, \tau^1)) & \text{if } \sigma,\tau \neq \varepsilon, \\
\top_{\mathbb{L}} & \text{if } \sigma = \varepsilon, \tau \neq \varepsilon \text{ or } \sigma \neq \varepsilon, \tau = \varepsilon, \\
\bot_{\mathbb{L}} & \text{if } \sigma = \tau = \varepsilon.
\end{cases} \tag{1}
$$

Here $\varepsilon \in \mathsf{Spec}^\infty$ denotes the empty sequence, and for any $\sigma \in \mathsf{Spec}^\infty$, $\sigma_0$ denotes its first element and $\sigma^1$ the tail of $\sigma$ with the first element removed.

For technical reasons, we will work mostly with the auxiliary function $h_T : \mathsf{Spec}^\infty \times \mathsf{Spec}^\infty \to \mathbb{L}$ below instead of the distance $d_T$; indeed, the framework in [4] has been developed completely without reference to the distance $d_T$ which, from a point of view of applications, should be the actual function of interest. This is due to the fact that the recursive characterization in (1) needs to "live" in $\mathbb{L}$ to be applicable to non-trivial distances, cf. [11].

We assume all SMTS to be compactly branching [9], that is, for any SMTS $S$ and any $s \in S$, the sets $\{ k \in \mathsf{Spec} \mid s \overset{k}{\dashrightarrow} s' \}$ and $\{ k \in \mathsf{Spec} \mid s \xrightarrow{k} s' \}$ are to be compact under the hemimetric $d_T$. An SMTS $S$ is said to be deterministic if it holds for all $s \in S$, $s \overset{k_1}{\dashrightarrow}_S s_1$, $s \overset{k_2}{\dashrightarrow}_S s_2$ for which there is $k \in \mathsf{Spec}$ with $h_T(k,k_1) \neq \top_{\mathbb{L}}$ and $h_T(k,k_2) \neq \top_{\mathbb{L}}$ that $k_1 = k_2$ and $s_1 = s_2$.

2.3 Operations 

Any specification theory comes equipped with certain operations which allow high-level reasoning [2]: refinement, structural composition and quotient, and conjunction. For our quantitative framework, we add an operation of widening which allows one to systematically relax specifications.
The modal refinement distance $d_m : S \times T \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ between the states of SMTS $S, T$ is defined using an auxiliary function $h_m : S \times T \to \mathbb{L}$, which in turn is defined to be the least fixed point to the equations

$$
h_m(s,t) = \max\left\{\;
\sup_{s \overset{k}{\dashrightarrow}_S s'} \;\inf_{t \overset{\ell}{\dashrightarrow}_T t'} F(k,\ell,h_m(s',t')),\quad
\sup_{t \xrightarrow{\ell}_T t'} \;\inf_{s \xrightarrow{k}_S s'} F(k,\ell,h_m(s',t'))
\;\right\}.
$$

We let $d_m = g \circ h_m$, using the function $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ from above. Also, $d_m(S,T) = d_m(s_0,t_0)$, and we write $S \le_m^\alpha T$ if $d_m(S,T) \le \alpha$. This definition is an extension of the one of simulation distance in [13], and the proof of existence of the least fixed point is similar to the one in [20]. Note also that $d_m$ extends the refinement relation $\le_m$ in the sense that $s \le_m t$ implies $d_m(s,t) = 0$.

The thorough refinement distance from an SMTS $S$ to an SMTS $T$ is

$$
d_t(S,T) = \sup_{I \in [\![S]\!]} \;\inf_{J \in [\![T]\!]} d_m(I,J),
$$

and we write $S \le_t^\alpha T$ if $d_t(S,T) \le \alpha$. Again, $S \le_t T$ implies $d_t(S,T) = 0$. It can be shown [4] that both $d_m$ and $d_t$ obey triangle inequalities in the sense that $d_m(S,T) + d_m(T,U) \ge d_m(S,U)$ and $d_t(S,T) + d_t(T,U) \ge d_t(S,U)$ for all SMTS $S,T,U$. Also, $d_t(S,T) \le d_m(S,T)$ for all SMTS $S,T$, and $d_t(S,T) = d_m(S,T)$ if $T$ is deterministic [4].

To introduce structural composition and quotient of SMTS, one needs corresponding operators on labels. Let thus $\oplus : \mathsf{Spec} \times \mathsf{Spec} \rightharpoonup \mathsf{Spec}$ and $\oslash : \mathsf{Spec} \times \mathsf{Spec} \rightharpoonup \mathsf{Spec}$ be partial label operators which satisfy the following conditions:

• For all $k,\ell,k',\ell' \in \mathsf{Spec}$, if $h_T(k,\ell) \neq \top_{\mathbb{L}}$ and $h_T(k',\ell') \neq \top_{\mathbb{L}}$, then $k \oplus k'$ is defined if and only if $\ell \oplus \ell'$ is defined;

• for all $k,\ell,m \in \mathsf{Spec}$, $\ell \oslash k$ is defined and $m \sqsubseteq_{\mathsf{Spec}} \ell \oslash k$ if and only if $k \oplus m$ is defined and $k \oplus m \sqsubseteq_{\mathsf{Spec}} \ell$;

• for all $\ell,\ell' \in \mathsf{Spec}$, the following conditions are equivalent:

  – there exists $k \in \mathsf{Spec}$ for which both $h_T(k,\ell) \neq \top_{\mathbb{L}}$ and $h_T(k,\ell') \neq \top_{\mathbb{L}}$;

  – there exists $m \in \mathsf{Spec}$ for which both $\ell \oplus m$ and $\ell' \oplus m$ are defined;

  – there exists $m \in \mathsf{Spec}$ for which both $m \oplus \ell$ and $m \oplus \ell'$ are defined.

The structural composition of SMTS $S, T$ is then the SMTS $S \| T = (S \times T, (s_0,t_0), \dashrightarrow_{S\|T}, \longrightarrow_{S\|T})$ with transitions defined as follows:

$$
\frac{s \overset{k}{\dashrightarrow}_S s' \qquad t \overset{\ell}{\dashrightarrow}_T t' \qquad k \oplus \ell \text{ defined}}{(s,t) \overset{k \oplus \ell}{\dashrightarrow}_{S\|T} (s',t')}
\qquad\qquad
\frac{s \xrightarrow{k}_S s' \qquad t \xrightarrow{\ell}_T t' \qquad k \oplus \ell \text{ defined}}{(s,t) \xrightarrow{k \oplus \ell}_{S\|T} (s',t')}
$$

It can be shown that for all SMTS $S, S', T, T'$, $S \le_m T$ and $S' \le_m T'$ imply $S \| S' \le_m T \| T'$.

For a quantitative generalization of this, we need a function $P : \mathbb{L} \times \mathbb{L} \to \mathbb{L}$ which permits inferring bounds on distances on synchronized labels. We assume that $P$ is monotone in both coordinates, has $P(\bot_{\mathbb{L}},\bot_{\mathbb{L}}) = \bot_{\mathbb{L}}$, $P(\alpha,\top_{\mathbb{L}}) = P(\top_{\mathbb{L}},\alpha) = \top_{\mathbb{L}}$ for all $\alpha \in \mathbb{L}$, and that

$$
F(k \oplus k', \ell \oplus \ell', P(\alpha,\alpha')) \sqsubseteq_{\mathbb{L}} P(F(k,\ell,\alpha), F(k',\ell',\alpha'))
$$

for all $k,\ell,k',\ell' \in \mathsf{Spec}$ and $\alpha,\alpha' \in \mathbb{L}$ for which $k \oplus k'$ and $\ell \oplus \ell'$ are defined. Then $P$ can be used to bound distances between structural compositions: for SMTS $S, T, S', T'$, we have $h_m(S\|S', T\|T') \sqsubseteq_{\mathbb{L}} P(h_m(S,T), h_m(S',T'))$ [4, Thm. 2].
For the definition of quotient, we first need to introduce pruning. For an SMTS $S$ and a subset $B \subseteq S$ of states, the pruning $\rho_B(S)$ is given as follows: Define a must-predecessor operator $\mathrm{pre} : 2^S \to 2^S$ by $\mathrm{pre}(S') = \{ s \in S \mid \exists k \in \mathsf{Spec}, s' \in S' : s \xrightarrow{k} s' \}$ and let $\mathrm{pre}^*$ be the reflexive, transitive closure of $\mathrm{pre}$. Then $\rho_B(S)$ exists if $s_0 \notin \mathrm{pre}^*(B)$, and in that case, $\rho_B(S) = (S_\rho, s_0, \dashrightarrow_\rho, \longrightarrow_\rho)$ with $S_\rho = S \setminus \mathrm{pre}^*(B)$, $\dashrightarrow_\rho = \dashrightarrow \cap (S_\rho \times \mathsf{Spec} \times S_\rho)$, and $\longrightarrow_\rho = \longrightarrow \cap (S_\rho \times \mathsf{Spec} \times S_\rho)$.

The quotient of an SMTS $T$ by an SMTS $S$ is the SMTS $T \setminus S = \rho_B(T \times S \cup \{u\}, (t_0,s_0), \dashrightarrow_{T \setminus S}, \longrightarrow_{T \setminus S})$ given as follows (if it exists):

$$
\frac{t \xrightarrow{\ell}_T t' \qquad s \overset{k}{\dashrightarrow}_S s' \qquad \ell \oslash k \text{ defined}}{(t,s) \xrightarrow{\ell \oslash k}_{T \setminus S} (t',s')}
\qquad\qquad
\frac{t \overset{\ell}{\dashrightarrow}_T t' \qquad s \overset{k}{\dashrightarrow}_S s' \qquad \ell \oslash k \text{ defined}}{(t,s) \overset{\ell \oslash k}{\dashrightarrow}_{T \setminus S} (t',s')}
$$

$$
\frac{t \xrightarrow{\ell}_T t' \qquad \forall s \overset{k}{\dashrightarrow}_S s' : \ell \oslash k \text{ undefined}}{(t,s) \in B}
\qquad
\frac{m \in \mathsf{Spec} \qquad \forall s \overset{k}{\dashrightarrow}_S s' : k \oplus m \text{ undefined}}{(t,s) \overset{m}{\dashrightarrow}_{T \setminus S} u}
\qquad
\frac{m \in \mathsf{Spec}}{u \overset{m}{\dashrightarrow}_{T \setminus S} u}
$$

Note the extra universal state $u$ which is introduced here. The standard property of quotient is as follows [5]: For SMTS $S, T, X$, for which $S$ is deterministic and $T \setminus S$ exists, $X \le_m T \setminus S$ if and only if $S \| X \le_m T$. Note that this property implies uniqueness (up to $\equiv_m$) of quotient [12]; hence if quotient exists, it must be defined as above.

For quantitative properties of quotient, we must again look to properties of the label operator $\oslash$ which can ensure them. We say that $\oslash$ is quantitatively well-behaved if it holds for all $k,\ell,m \in \mathsf{Spec}$ that $\ell \oslash k$ is defined and $h_T(m, \ell \oslash k) \neq \top_{\mathbb{L}}$ if and only if $k \oplus m$ is defined and $h_T(k \oplus m, \ell) \neq \top_{\mathbb{L}}$, and in that case, $F(m, \ell \oslash k, \alpha) \sqsubseteq_{\mathbb{L}} F(k \oplus m, \ell, \alpha)$ for all $\alpha \in \mathbb{L}$. For such a quantitatively well-behaved $\oslash$ it can be shown [4, Thm. 3] that for all SMTS $S, T, X$ such that $S$ is deterministic and $T \setminus S$ exists, $h_m(X, T \setminus S) \sqsubseteq_{\mathbb{L}} h_m(S \| X, T)$.

For conjunction of SMTS, we need a partial label operator $\odot : \mathsf{Spec} \times \mathsf{Spec} \rightharpoonup \mathsf{Spec}$ for which it holds that

• for all $k,\ell \in \mathsf{Spec}$, if $k \odot \ell$ is defined, then $k \odot \ell \sqsubseteq_{\mathsf{Spec}} k$ and $k \odot \ell \sqsubseteq_{\mathsf{Spec}} \ell$,

• for all $k,\ell,m \in \mathsf{Spec}$ for which $m \sqsubseteq_{\mathsf{Spec}} k$ and $m \sqsubseteq_{\mathsf{Spec}} \ell$, $k \odot \ell$ is defined and $m \sqsubseteq_{\mathsf{Spec}} k \odot \ell$, and

• for all $\ell,\ell' \in \mathsf{Spec}$, there exists $k \in \mathsf{Spec}$ for which $h_T(k,\ell) \neq \top_{\mathbb{L}}$ and $h_T(k,\ell') \neq \top_{\mathbb{L}}$ if and only if there exists $m \in \mathsf{Spec}$ for which $\ell \odot m$ and $\ell' \odot m$ are defined.

The conjunction of two SMTS $S, T$ is the SMTS $S \wedge T = \rho_B(S \times T, (s_0,t_0), \dashrightarrow_{S \wedge T}, \longrightarrow_{S \wedge T})$ given as follows:

$$
\frac{s \xrightarrow{k}_S s' \qquad t \overset{\ell}{\dashrightarrow}_T t' \qquad k \odot \ell \text{ defined}}{(s,t) \xrightarrow{k \odot \ell}_{S \wedge T} (s',t')}
\qquad\qquad
\frac{s \overset{k}{\dashrightarrow}_S s' \qquad t \xrightarrow{\ell}_T t' \qquad k \odot \ell \text{ defined}}{(s,t) \xrightarrow{k \odot \ell}_{S \wedge T} (s',t')}
$$

$$
\frac{s \overset{k}{\dashrightarrow}_S s' \qquad t \overset{\ell}{\dashrightarrow}_T t' \qquad k \odot \ell \text{ defined}}{(s,t) \overset{k \odot \ell}{\dashrightarrow}_{S \wedge T} (s',t')}
$$

$$
\frac{s \xrightarrow{k}_S s' \qquad \forall t \overset{\ell}{\dashrightarrow}_T t' : k \odot \ell \text{ undefined}}{(s,t) \in B}
\qquad\qquad
\frac{t \xrightarrow{\ell}_T t' \qquad \forall s \overset{k}{\dashrightarrow}_S s' : k \odot \ell \text{ undefined}}{(s,t) \in B}
$$

With this definition, it can be shown [5] that conjunction acts as greatest lower bound: Given SMTS $S, T$ for which $S \wedge T$ is defined, we have $S \wedge T \le_m S$ and $S \wedge T \le_m T$, and if $S$ or $T$ is deterministic and $U$ is an SMTS for which $U \le_m S$ and $U \le_m T$, then $S \wedge T$ is defined and $U \le_m S \wedge T$. We again note that this property implies uniqueness, up to $\equiv_m$, of conjunction: if conjunction exists, it must be given as above.

To generalize this to a quantitative greatest lower bound property, we shall have reason to consider two different properties of the label operator $\odot$. The first is analogous to the one for structural composition above: we say that $\odot$ is bounded by a function $C : \mathbb{L} \times \mathbb{L} \to \mathbb{L}$ if $C$ is monotone in both coordinates, has $C(\bot_{\mathbb{L}},\bot_{\mathbb{L}}) = \bot_{\mathbb{L}}$, $C(\alpha,\top_{\mathbb{L}}) = C(\top_{\mathbb{L}},\alpha) = \top_{\mathbb{L}}$ for all $\alpha \in \mathbb{L}$, and if it holds for all $k,\ell,m \in \mathsf{Spec}$ for which $d_T(m,k) \neq \infty$ and $d_T(m,\ell) \neq \infty$ that $k \odot \ell$ is defined and

$$
F(m, k \odot \ell, C(\alpha,\alpha')) \sqsubseteq_{\mathbb{L}} C(F(m,k,\alpha), F(m,\ell,\alpha'))
$$

for all $\alpha,\alpha' \in \mathbb{L}$. For such a bounded $\odot$ it can be shown [4] that if $S, T, U$ are SMTS of which $S$ or $T$ is deterministic, and if $h_m(U,S) \neq \top_{\mathbb{L}}$ and $h_m(U,T) \neq \top_{\mathbb{L}}$, then $S \wedge T$ is defined and $h_m(U, S \wedge T) \sqsubseteq_{\mathbb{L}} C(h_m(U,S), h_m(U,T))$.

For the second, relaxed boundedness property of $\odot$, we have to first introduce a notion of quantitative widening. For $\alpha \in \mathbb{L}$ and SMTS $S, T$, we say that $T$ is an $\alpha$-widening of $S$ if there is a relation $R \subseteq S \times T$ for which $(s_0,t_0) \in R$ and such that for all $(s,t) \in R$, $s \overset{k}{\dashrightarrow}_S s'$ if and only if $t \overset{\ell}{\dashrightarrow}_T t'$, and $s \xrightarrow{k}_S s'$ if and only if $t \xrightarrow{\ell}_T t'$, for $k \sqsubseteq_{\mathsf{Spec}} \ell$, $h_T(\ell,k) \sqsubseteq_{\mathbb{L}} \alpha$, and $(s',t') \in R$. Thus up to unweighted two-sided refinement, $T$ is the same as $S$, but transition labels in $T$ can be "wider" than in $S$. (Hence also $S \le_m T$, but nothing general can be said about quantitative refinement from $T$ to $S$, cf. [4].)

We say that the operator $\odot$ is relaxed bounded by a function family $\mathcal{C} = \{ C_{\beta,\gamma} : \mathbb{L} \times \mathbb{L} \to \mathbb{L} \mid \beta,\gamma \in \mathbb{L} \}$ if all $C_{\beta,\gamma}$ are monotone in both coordinates, have $C_{\beta,\gamma}(\bot_{\mathbb{L}},\bot_{\mathbb{L}}) = \bot_{\mathbb{L}}$, $C_{\beta,\gamma}(\alpha,\top_{\mathbb{L}}) = C_{\beta,\gamma}(\top_{\mathbb{L}},\alpha) = \top_{\mathbb{L}}$ for all $\alpha \in \mathbb{L}$, and if it holds for all $k,\ell \in \mathsf{Spec}$ for which there is $m \in \mathsf{Spec}$ with $h_T(m,k) \neq \top_{\mathbb{L}}$ and $h_T(m,\ell) \neq \top_{\mathbb{L}}$ that there exist $k',\ell' \in \mathsf{Spec}$ with $k \sqsubseteq_{\mathsf{Spec}} k'$, $\ell \sqsubseteq_{\mathsf{Spec}} \ell'$, $h_T(k',k) = \beta \neq \top_{\mathbb{L}}$, and $h_T(\ell',\ell) = \gamma \neq \top_{\mathbb{L}}$, such that $k' \odot \ell'$ is defined, and then for all $m \in \mathsf{Spec}$ with $h_T(m,k) \neq \top_{\mathbb{L}}$ and $h_T(m,\ell) \neq \top_{\mathbb{L}}$,

$$
F(m, k' \odot \ell', C_{\beta,\gamma}(\alpha,\alpha')) \sqsubseteq_{\mathbb{L}} C_{\beta,\gamma}(F(m,k,\alpha), F(m,\ell,\alpha'))
$$

for all $\alpha,\alpha' \in \mathbb{L}$. The following property can then be shown [4, Thm. 5]: Let $S, T$ be SMTS with $S$ or $T$ deterministic. If there is an SMTS $U$ for which $h_m(U,S) \neq \top_{\mathbb{L}}$ and $h_m(U,T) \neq \top_{\mathbb{L}}$, then there exist $\beta$- and $\gamma$-widenings $S'$ of $S$ and $T'$ of $T$ for which $S' \wedge T'$ is defined, and such that $h_m(U, S' \wedge T') \sqsubseteq_{\mathbb{L}} C_{\beta,\gamma}(h_m(U,S), h_m(U,T))$ for all SMTS $U$ for which $h_m(U,S) \neq \top_{\mathbb{L}}$ and $h_m(U,T) \neq \top_{\mathbb{L}}$.

3 Robust Semantics of Modal Event-Clock Specifications

As an application of the framework laid out in this paper, we consider the modal event-clock specifications (MECS) of [7] and give them a robust semantics as SMTS. We choose MECS instead of a more expressive real-time formalism such as e.g. timed automata [1] mainly for ease of exposition; it is certainly possible to extend the work presented here also to these formalisms.

We assume a fixed finite alphabet $\Sigma$ and let $\delta \notin \Sigma$ denote a special symbol which signifies passage of time. Let $\Phi(\Sigma)$ denote the set of closed clock constraints over $\Sigma$, given by

$$
\Phi(\Sigma) \ni \phi ::= a \le k \mid a \ge k \mid \phi_1 \wedge \phi_2 \qquad (a \in \Sigma,\; k \in \mathbb{N},\; \phi_1,\phi_2 \in \Phi(\Sigma)).
$$

A (real) clock valuation is a mapping $u : \Sigma \to \mathbb{R}_{\ge 0}$; we say that $u \models \phi$, for $\phi \in \Phi(\Sigma)$, if $u(a)$ satisfies $\phi$ for all $a \in \Sigma$, and we let $[\![\phi]\!] = \{ u : \Sigma \to \mathbb{R}_{\ge 0} \mid u \models \phi \}$. For $d \in \mathbb{R}_{\ge 0}$ and $b \in \Sigma$ we define the valuations $u + d = \lambda a.(u(a) + d)$ and $u[b] = \lambda a.(\text{if } a = b \text{ then } 0 \text{ else } u(a))$. Note that for brevity we use lambda notation for anonymous functions here.

We denote by $\mathbb{I} = \{ [x,y] \mid x \in \mathbb{R}_{\ge 0},\; y \in \mathbb{R}_{\ge 0} \cup \{\infty\},\; x \le y \}$ the set of closed extended non-negative real intervals, and define addition of intervals by $[l,r] + [l',r'] = [l + l', r + r']$. An interval clock valuation is a mapping $v : \Sigma \to \mathbb{I}$ associating with each symbol $a$ a non-negative interval $v(a) = [l_a, r_a] \in \mathbb{I}$ of possible clock values. We say that $v \models \phi$, for $\phi \in \Phi(\Sigma)$, if there exists $u : \Sigma \to \mathbb{R}_{\ge 0}$ for which $u(a) \in v(a)$ for all $a \in \Sigma$ and $u \models \phi$. For $d \in \mathbb{I}$ and $b \in \Sigma$ we define $v + d = \lambda a.(v(a) + d)$ and $v[b] = \lambda a.(\text{if } a = b \text{ then } [0,0] \text{ else } v(a))$.

A modal event-clock specification (MECS) [7] is a tuple $A = (Q, q_0, \dashrightarrow_A, \longrightarrow_A)$ consisting of a finite set $Q$ of locations, with initial location $q_0 \in Q$, and may and must edges $\dashrightarrow_A, \longrightarrow_A \subseteq Q \times \Sigma \times \Phi(\Sigma) \times Q$ which satisfy that for all $(q,a,g,q') \in \longrightarrow_A$ there exists $(q,a,g',q') \in \dashrightarrow_A$ with $[\![g]\!] \subseteq [\![g']\!]$. As before we write $q \overset{a,g}{\dashrightarrow}_A q'$ instead of $(q,a,g,q') \in \dashrightarrow_A$, similarly for $\longrightarrow_A$. Figure 1 shows some examples of MECS.

To facilitate robust analysis of MECS, we give their semantics not as usual timed transition systems [1] (or as modal region automata as in [7]), but as interval timed modal transition systems (ITMTS). These are SMTS over

$$
\mathsf{Spec} = (\Sigma \times \{[0,0]\}) \cup (\{\delta\} \times \mathbb{I}) \subseteq (\Sigma \cup \{\delta\}) \times \mathbb{I},
$$

with $(a,[l,r]) \sqsubseteq_{\mathsf{Spec}} (a',[l',r'])$ if and only if $a = a'$, $l \ge l'$, and $r \le r'$ (hence $[l,r] \subseteq [l',r']$), and thus with $\mathsf{Imp} = \Sigma \times \{0\} \cup \{\delta\} \times \mathbb{R}_{\ge 0}$. Hence an implementation is a usual timed transition system, with discrete transitions $s \xrightarrow{a,0} s'$ and delay transitions $s \xrightarrow{\delta,d} s'$.

The semantics of a MECS $A = (Q, q_0, \dashrightarrow_A, \longrightarrow_A)$ is the ITMTS $(\!|A|\!) = (S, s_0, \dashrightarrow_S, \longrightarrow_S)$ given as follows:

$$
\begin{aligned}
S &= \{ (q,v) \mid q \in Q,\; v : \Sigma \to \mathbb{I} \}, \qquad s_0 = (q_0, \lambda x.0), \\
\longrightarrow_S &= \{ (q,v) \xrightarrow{a,[0,0]}_S (q',v') \mid q \xrightarrow{a,g}_A q',\; v \models g,\; v' = v[a] \} \cup \{ (q,v) \xrightarrow{\delta,[l,r]}_S (q,v') \mid v' = v + [l,r] \}, \\
\dashrightarrow_S &= \{ (q,v) \overset{a,[0,0]}{\dashrightarrow}_S (q',v') \mid q \overset{a,g}{\dashrightarrow}_A q',\; v \models g,\; v' = v[a] \} \cup \{ (q,v) \overset{\delta,[l,r]}{\dashrightarrow}_S (q,v') \mid v' = v + [l,r] \}.
\end{aligned}
$$

Note that the "real", precise semantics of $A$ as a timed transition system [1] is an implementation of $(\!|A|\!)$; also any of the "relaxed" or "robust" semantics of [17, 24, 25] are implementations of $(\!|A|\!)$; any robust semantics "lives" in our framework. As we are using closed clock constraints for MECS, $(\!|A|\!)$ as defined above is compactly branching.
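The following Python is an added example, not code from the paper or from [7]. It represents interval clock valuations and clock constraints as mappings $\Sigma \to \mathbb{I}$ and $\Sigma \to \mathbb{J}$ (the per-clock-bounds representation of constraints that the quotient construction in this section also uses), implements $v \models g$, $v[a]$ and $v + [l,r]$, checks the must/may consistency condition $[\![g]\!] \subseteq [\![g']\!]$ of a MECS, and enumerates the discrete may- and must-successors of an ITMTS state $(q,v)$ according to the semantics above. The resource MECS `RES` is constructed for illustration and is not one of the page's figures.

```python
import math
from typing import Dict, List, Tuple

INF = math.inf
Interval = Tuple[float, float]
IntervalValuation = Dict[str, Interval]  # v : Σ -> I, one interval of possible clock values per symbol
Guard = Dict[str, Interval]              # clock constraint as mapping Σ -> J; absent clocks are unconstrained


def guard_satisfied(v: IntervalValuation, g: Guard) -> bool:
    """v ⊨ g: some real valuation u with u(a) ∈ v(a) for every a satisfies g.
    Since g is a conjunction of per-clock bounds, this holds iff each v(a) meets the bound on a."""
    return all(max(v[a][0], lo) <= min(v[a][1], hi) for a, (lo, hi) in g.items())


def guard_included(g: Guard, g2: Guard, clocks) -> bool:
    """[[g]] ⊆ [[g']] for per-clock bound constraints: interval inclusion clock by clock;
    a clock not mentioned by a guard is bounded by [0, ∞]."""
    for a in clocks:
        (lo, hi), (lo2, hi2) = g.get(a, (0.0, INF)), g2.get(a, (0.0, INF))
        if lo < lo2 or hi > hi2:
            return False
    return True


def reset(v: IntervalValuation, a: str) -> IntervalValuation:
    """v[a]: the event clock of a is reset to [0,0], the other clocks are kept."""
    return {b: ((0.0, 0.0) if b == a else iv) for b, iv in v.items()}


def delay(v: IntervalValuation, d: Interval) -> IntervalValuation:
    """v + [l,r]: every clock advances by the interval [l,r] (interval addition)."""
    return {b: (lo + d[0], hi + d[1]) for b, (lo, hi) in v.items()}


class MECS:
    """Finite MECS with edges (q, a, g, q'), a ∈ Σ and g a Guard; the clocks are the symbols of Σ."""

    def __init__(self, clocks, q0, may, must):
        self.clocks, self.q0, self.may, self.must = set(clocks), q0, list(may), list(must)

    def well_formed(self) -> bool:
        """Every must edge needs a may edge with the same (q, a, q') and a weaker guard."""
        return all(any(q == p and a == b and q2 == p2 and guard_included(g, g2, self.clocks)
                       for (p, b, g2, p2) in self.may)
                   for (q, a, g, q2) in self.must)

    def initial_valuation(self) -> IntervalValuation:
        return {a: (0.0, 0.0) for a in self.clocks}


def discrete_successors(m: MECS, q, v: IntervalValuation) -> Dict[str, List]:
    """ITMTS successors of (q,v) on discrete labels (a,[0,0]): an edge fires when v ⊨ g and the
    event clock of a is reset afterwards. May- and must-successors are returned separately."""
    out = {'may': [], 'must': []}
    for kind, edges in (('may', m.may), ('must', m.must)):
        for (p, a, g, p2) in edges:
            if p == q and guard_satisfied(v, g):
                out[kind].append((a, p2, reset(v, a)))
    return out


# Constructed sample: a resource that may be requested once at least 1 time unit has passed since the
# last request, must be requested within [1,3], and must be released within 2 time units of the request.
RES = MECS(clocks={'req', 'rel'}, q0='idle',
           may=[('idle', 'req', {'req': (1.0, INF)}, 'busy'),
                ('busy', 'rel', {'req': (0.0, 2.0)}, 'idle')],
           must=[('idle', 'req', {'req': (1.0, 3.0)}, 'busy'),
                 ('busy', 'rel', {'req': (0.0, 2.0)}, 'idle')])

if __name__ == "__main__":
    v = delay(RES.initial_valuation(), (0.0, 2.0))   # the state reached by a δ,[0,2] transition
    print("well-formed:", RES.well_formed())
    print("successors of (idle, v):", discrete_successors(RES, 'idle', v))
```

From the initial valuation no discrete edge is enabled (the guard $\mathit{req} \ge 1$ fails on $[0,0]$); after a delay transition labelled $(\delta,[0,2])$ both the may and the must edge on `req` are enabled, and the successor valuation has the `req` clock reset to $[0,0]$ while `rel` keeps $[0,2]$.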

Refinement of MECS is defined semantically: $A \le_m B$ if $(\!|A|\!) \le_m (\!|B|\!)$. Note that the refinement of [7] is different (indeed it is not quantitative in our sense). By definition of modal refinement, a specification $S \le_m (\!|A|\!)$ is a more precise, or less relaxed, specification of the semantics of $A$: any delay intervals on transitions $s \overset{\delta,[l,r]}{\dashrightarrow} s'$ are contained in intervals $t \overset{\delta,[l',r']}{\dashrightarrow} t'$ (and similarly for must transitions).

We are interested in timing differences of (refinements of) MECS, i.e. in expressing how much two ITMTS can differ in the timings of their behaviors. Given two finite traces $\sigma = (a_0,x_0),\dots,(a_n,x_n)$ and $\sigma' = (a_0,x_0'),\dots,(a_n,x_n')$ (note that the discrete labels in $\Sigma \cup \{\delta\}$ are the same), their timing difference is $|(x_0 + x_1 + \cdots + x_n) - (x_0' + x_1' + \cdots + x_n')|$, and what interests us is the maximal timing difference at any point of the runs. Hence we want the distance between $\sigma$ and $\sigma'$ to be $\max_{m = 0,\dots,n} \left| \sum_{i=0}^m x_i - \sum_{i=0}^m x_i' \right|$, with the $\max_{m = 0,\dots,n}$ replaced by $\sup_{m \in \mathbb{N}}$ for infinite traces. This is precisely the maximum-lead distance of [18, 26], and we show below how it fits in the framework of this paper.

[Figure 1; panels: $S$, $S_1$, $S_2$]

Figure 1: A MECS model $S$ of a resource specification, cf. [7], and two refinement candidates $S_1$, $S_2$. As customary, we omit may-transitions which have an underlying must-transition with the same label. Note that $S_1 \le_m S$ and $S_2 \not\le_m S$, but $d_m(S_2,S) = 1$.

Note that the accumulating distance of [3] measures something entirely different: for the finite traces above, it is $|x_0 - x_0'| + \lambda |x_1 - x_1'| + \cdots + \lambda^n |x_n - x_n'|$, hence measuring the sum of the differences in the individual timings of transitions rather than the overall timing difference. Thus the work laid out in [3] is not applicable to our setting, showing the strength of the more general approach of [4].

Let $\mathbb{L} = (\mathbb{R}_{\ge 0} \cup \{\infty\})^{\mathbb{R}}$, the set of mappings from leads to distances, and define $F : \mathsf{Imp} \times \mathsf{Imp} \times \mathbb{L} \to \mathbb{L}$ by

$$
F((a,t),(a',t'),\alpha) = \begin{cases}
\lambda d.\max\big(|d + t - t'|,\; \alpha(d + t - t')\big) & \text{if } a = a', \\
\top_{\mathbb{L}} & \text{otherwise},
\end{cases}
$$

and extend $F$ to specifications by $F(k,\ell,\alpha) = \sup_{m \in [\![k]\!]} \inf_{n \in [\![\ell]\!]} F(m,n,\alpha)$. Define $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ by $g(\alpha) = \alpha(0)$; the maximum-lead distance assuming the lead is zero. Using our characterization of $h_T$ from (1), it can then be shown that $d_T = g \circ h_T : \mathsf{Spec}^\infty \times \mathsf{Spec}^\infty \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ is precisely the maximum-lead distance, cf. [13, 18]. We also instantiate our definitions of modal and thorough refinement distance for ITMTS; for MECS $A, B$ we let $d_m(A,B) = d_m((\!|A|\!), (\!|B|\!))$, $d_t(A,B) = d_t((\!|A|\!), (\!|B|\!))$.
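As an added example (not code from the paper), this Python encodes elements of $\mathbb{L}$ as functions from leads to distances, implements $F$ on implementation labels and the recursion (1) for $h_T$ on finite traces, and checks against the direct prefix-sum formula that $g \circ h_T$ is the maximum-lead distance. The page states $F$ only for $a = a'$; returning $\top_{\mathbb{L}}$ when the discrete symbols differ is the reading assumed here. The traces `SIGMA` and `TAU` are constructed for illustration.

```python
import math
from typing import Callable, List, Tuple

INF = math.inf
ImpLabel = Tuple[str, float]        # implementation label: (a, 0) for a ∈ Σ, ('δ', d) for a delay of d
Lead = Callable[[float], float]     # element of L = (R≥0 ∪ {∞})^R: maps a lead to a distance

BOTTOM: Lead = lambda d: 0.0        # ⊥_L
TOP: Lead = lambda d: INF           # ⊤_L


def F(k: ImpLabel, l: ImpLabel, alpha: Lead) -> Lead:
    """F((a,t),(a',t'),α) = λd. max(|d + t − t'|, α(d + t − t')) if a = a'.
    For a ≠ a' the value ⊤_L is assumed here (the page only spells out the a = a' case)."""
    (a, t), (a2, t2) = k, l
    if a != a2:
        return TOP
    return lambda d: max(abs(d + t - t2), alpha(d + t - t2))


def h_T(sigma: List[ImpLabel], tau: List[ImpLabel]) -> Lead:
    """Recursive characterisation (1): F on the heads and h_T on the tails;
    ⊤_L if exactly one trace is empty, ⊥_L if both are."""
    if not sigma and not tau:
        return BOTTOM
    if not sigma or not tau:
        return TOP
    return F(sigma[0], tau[0], h_T(sigma[1:], tau[1:]))


def g(alpha: Lead) -> float:
    """g(α) = α(0): the distance when the two traces start with lead zero."""
    return alpha(0.0)


def d_T(sigma: List[ImpLabel], tau: List[ImpLabel]) -> float:
    """d_T = g ∘ h_T."""
    return g(h_T(sigma, tau))


def max_lead_direct(sigma: List[ImpLabel], tau: List[ImpLabel], lead0: float = 0.0) -> float:
    """Direct maximum-lead formula: max over prefixes of |lead0 + Σ x_i − Σ x'_i|, and ∞ when the
    discrete symbols differ or the traces have different lengths."""
    if len(sigma) != len(tau) or any(a != b for (a, _), (b, _) in zip(sigma, tau)):
        return INF
    lead, worst = lead0, 0.0
    for (_, x), (_, y) in zip(sigma, tau):
        lead += x - y
        worst = max(worst, abs(lead))
    return worst


# Constructed traces: delay 1 / 1.5, then 'a', then delay 2 / 1, then 'b'.
# Prefix timing differences: 0.5, 0.5, 0.5, 0.5, so the maximum-lead distance is 0.5.
SIGMA: List[ImpLabel] = [('δ', 1.0), ('a', 0.0), ('δ', 2.0), ('b', 0.0)]
TAU: List[ImpLabel] = [('δ', 1.5), ('a', 0.0), ('δ', 1.0), ('b', 0.0)]

if __name__ == "__main__":
    print("d_T(SIGMA, TAU) =", d_T(SIGMA, TAU), " direct:", max_lead_direct(SIGMA, TAU))
    print("with initial lead -0.5:", h_T(SIGMA, TAU)(-0.5), max_lead_direct(SIGMA, TAU, -0.5))
```

Evaluating $h_T(\sigma,\tau)$ at a lead other than $0$ shows why the recursion has to live in $\mathbb{L}$ rather than in the reals: the same pair of traces has distance $0.5$ from lead $0$ but distance $1$ when $\sigma$ already lags by $0.5$ at the start.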

Determinism for ITMTS is the same as in [3]: if $k_1, k_2 \in \mathsf{Spec}$, with $k_1 = (a_1,[l_1,r_1])$, $k_2 = (a_2,[l_2,r_2])$, then there is $k \in \mathsf{Spec}$ with $h_T(k,k_1) \neq \top_{\mathbb{L}}$ and $h_T(k,k_2) \neq \top_{\mathbb{L}}$ if and only if $a_1 = a_2$. Hence an ITMTS $S$ is deterministic if and only if it holds for all $s \in S$ that $s \overset{(a,[l_1,r_1])}{\dashrightarrow}_S s_1$ and $s \overset{(a,[l_2,r_2])}{\dashrightarrow}_S s_2$ imply $[l_1,r_1] = [l_2,r_2]$ and $s_1 = s_2$. For a MECS $A$, $(\!|A|\!)$ is hence deterministic if and only if for all locations $q$, $q \overset{a,g_1}{\dashrightarrow} q_1$ and $q \overset{a,g_2}{\dashrightarrow} q_2$ imply that $[\![g_1]\!] = [\![g_2]\!]$ and $q_1 = q_2$. This is a stronger notion of determinism than in [7]; we will call it strong determinism for differentiation.

For structural composition of ITMTS we use CSP-style synchronization on discrete labels and intersection of intervals. Note that this is different from [3], which instead uses addition of intervals. Given $(a,[l,r]), (a',[l',r']) \in \mathsf{Spec}$ we hence define

$$
(a,[l,r]) \oplus (a',[l',r']) = \begin{cases}
(a, [\max(l,l'), \min(r,r')]) & \text{if } a = a' \text{ and } \max(l,l') \le \min(r,r'), \\
\text{undefined} & \text{otherwise}.
\end{cases}
$$

It can be shown that $\oplus$ is bounded by $P(\alpha,\alpha') = \max(\alpha,\alpha')$. Also, the notion of structural composition of ITMTS we obtain is consistent with the one of synchronized product of [7] (denoted $\otimes$ in that paper). Figure 2 depicts some examples of structural compositions.
[Figure 2; panels: $S \| T$, $S_2 \| T$]

Figure 2: A MECS model $T$ of a process accessing the resource $S$ from Fig. 1 together with the structural compositions $S \| T$, $S_1 \| T$, and $S_2 \| T$. Note that $d_m(S_2 \| T, S \| T) = 1$.

Theorem 1. Let $A, B, A', B'$ be MECS. With $\|$ the notion of synchronized product of MECS from [7], $(\!|A \| B|\!) \equiv_m (\!|A|\!) \| (\!|B|\!)$. Additionally $d_m(A \| A', B \| B') \le \max(d_m(A,B), d_m(A',B'))$.

Proof. $(\!|A \| B|\!) \equiv_m (\!|A|\!) \| (\!|B|\!)$ is clear from the definitions. For the second part, we have $h_m(A \| A', B \| B') \sqsubseteq_{\mathbb{L}} P(h_m(A,B), h_m(A',B')) = \max(h_m(A,B), h_m(A',B'))$ by [4, Thm. 2], and as $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ is a homomorphism, the claim follows. □

For quotient of ITMTS we define, for labels $(a,[l,r]), (a',[l',r']) \in \mathsf{Spec}$,

$$
(a',[l',r']) \oslash (a,[l,r]) = \begin{cases}
\text{undefined} & \text{if } a \neq a', \\
(a,[l',\infty]) & \text{if } a = a' \text{ and } l \le l' \le r \le r', \\
(a,[l',r']) & \text{if } a = a' \text{ and } l \le l' \le r' \le r, \\
\text{undefined} & \text{if } a = a' \text{ and } l \le r < l' \le r', \\
(a,[0,\infty]) & \text{if } a = a' \text{ and } l' \le l \le r \le r', \\
(a,[0,r']) & \text{if } a = a' \text{ and } l' \le l \le r' \le r, \\
\text{undefined} & \text{if } a = a' \text{ and } l' \le r' < l \le r.
\end{cases}
$$

The intuition is that to obtain the maximal solution $[p,q]$ to an equation $[l,r] \oplus [p,q] \sqsubseteq_{\mathsf{Spec}} [l',r']$, whether $p$ and $q$ must restrain the interval in the intersection, or can be $0$ and $\infty$, respectively, depends on the position of $[l,r]$ relative to $[l',r']$, cf. Figure 3. It can be shown that the operator $\oslash$ is quantitatively well-behaved.
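The following Python is an added example, not code from the paper. It implements $\oplus$ and $\oslash$ on ITMTS labels and checks, over a constructed grid of labels, that $\ell \oslash k$ is a solution of $[l,r] \oplus [p,q] \sqsubseteq_{\mathsf{Spec}} [l',r']$ and that every solution $m$ with $k \oplus m$ defined refines it. The six cases of $\oslash$ are implemented as two independent decisions (raise $p$ to $l'$ only when $l < l'$; lower $q$ to $r'$ only when $r' < r$), which agrees with the case table above wherever the inequalities are strict; settling the boundary cases $l = l'$ and $r = r'$ in favour of the wider interval, as the maximality intuition requires, is an assumption made here.

```python
import itertools
import math
from typing import List, Optional, Tuple

INF = math.inf
Label = Tuple[str, Tuple[float, float]]   # ITMTS label (a, [l, r])


def refines(k: Label, l: Label) -> bool:
    """k ⊑_Spec l: same discrete symbol and interval inclusion."""
    (a, (lo, hi)), (a2, (lo2, hi2)) = k, l
    return a == a2 and lo >= lo2 and hi <= hi2


def compose(k: Label, l: Label) -> Optional[Label]:
    """k ⊕ l: CSP-style synchronisation on the symbol and intersection of the intervals;
    undefined (None) when the symbols differ or the intersection is empty."""
    (a, (lo, hi)), (a2, (lo2, hi2)) = k, l
    if a != a2:
        return None
    lo3, hi3 = max(lo, lo2), min(hi, hi2)
    return (a, (lo3, hi3)) if lo3 <= hi3 else None


def quotient(l: Label, k: Label) -> Optional[Label]:
    """(a',[l',r']) ⊘ (a,[l,r]): the widest [p,q] with [l,r] ⊕ [p,q] ⊑ [l',r'].
    p has to be raised to l' only if l lies strictly left of l'; q has to be lowered to r'
    only if r lies strictly right of r'. Ties go to the wider bound (assumption, see lead-in)."""
    (a2, (l2, r2)), (a, (lo, hi)) = l, k
    if a != a2:
        return None                          # different symbols
    if hi < l2 or r2 < lo:
        return None                          # the two disjoint cases: no intersection possible
    p = 0.0 if l2 <= lo else l2              # lower end: free, or restrained to l'
    q = INF if hi <= r2 else r2              # upper end: free, or restrained to r'
    return (a, (p, q))


def check_quotient_laws(labels: List[Label]):
    """Over all pairs/triples from `labels`:
    (1) ℓ ⊘ k, when defined, is a solution: k ⊕ (ℓ ⊘ k) is defined and ⊑ ℓ;
    (2) it is the largest one: whenever k ⊕ m is defined and ⊑ ℓ, then m ⊑ ℓ ⊘ k.
    Returns the first violation found, or None."""
    for k, l in itertools.product(labels, repeat=2):
        q = quotient(l, k)
        if q is not None:
            c = compose(k, q)
            if c is None or not refines(c, l):
                return ('not a solution', k, l, q)
        for m in labels:
            c = compose(k, m)
            if c is not None and refines(c, l) and (q is None or not refines(m, q)):
                return ('not maximal', k, l, m)
    return None


def sample_labels() -> List[Label]:
    """Constructed grid: two discrete labels with [0,0] and all delay labels with
    integer end points in 0..3 or ∞ as upper end."""
    ends = [0.0, 1.0, 2.0, 3.0, INF]
    delays = [('δ', (lo, hi)) for lo in ends[:-1] for hi in ends if lo <= hi]
    return [('a', (0.0, 0.0)), ('b', (0.0, 0.0))] + delays


if __name__ == "__main__":
    print("[1,3] ⊕ [2,5] =", compose(('δ', (1.0, 3.0)), ('δ', (2.0, 5.0))))
    print("[2,5] ⊘ [1,3] =", quotient(('δ', (2.0, 5.0)), ('δ', (1.0, 3.0))))
    print("violations:", check_quotient_laws(sample_labels()))
```

Note that the second law is one-directional: a label $m$ may refine $\ell \oslash k$ while $k \oplus m$ is undefined (for instance $p > r$ in the first defined case), which is why the interval quotient is described as the maximal solution rather than as an exact adjoint of $\oplus$.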

We can lift our quotient from the semantic ITMTS level to MECS as follows: A clock constraint in $\Phi(\Sigma)$ is equivalent to a mapping $\Sigma \to \mathbb{J}$, where $\mathbb{J} = \{ [x,y] \mid x \in \mathbb{N},\; y \in \mathbb{N} \cup \{\infty\},\; x \le y \} \subseteq \mathbb{I}$ denotes the set of closed extended non-negative integer intervals, and then we can define $\phi' \oslash \phi = \lambda a.(\phi'(a) \oslash \phi(a))$ with $\oslash$ defined on intervals as above. Our quotient of MECS is then defined as in [7], but with their guard operation replaced by our $\oslash$ (hence our quotient is different from theirs, which is to be expected as the notions of refinement are different).

[Figure 3; bars labelled with the end points $l, l', r, r'$]

Figure 3: Quotient $[l',r'] \oslash [l,r]$ of intervals, six cases. Top bar: $[l,r]$; middle bar: $[l',r']$; bottom bar: quotient. Note that for the two cases on the right, quotient is undefined.

Theorem 2. Let $A, B, X$ be MECS for which $B \setminus A$ exists; then $(\!|B \setminus A|\!) = (\!|B|\!) \setminus (\!|A|\!)$. If $A$ is strongly deterministic, then $d_m(X, B \setminus A) \le d_m(A \| X, B)$, and $X \le_m B \setminus A$ if and only if $A \| X \le_m B$.

Proof. $(\!|B \setminus A|\!) = (\!|B|\!) \setminus (\!|A|\!)$ is clear from the definitions. For the second part, $X \le_m B \setminus A$ if and only if $A \| X \le_m B$ by [4, Thm. 3], and by the same theorem, $h_m(X, B \setminus A) \sqsubseteq_{\mathbb{L}} h_m(A \| X, B)$, so as $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ is a homomorphism, the claim follows. □

The conjunction operator on labels of ITMTS is defined using intersection of intervals like for structural composition, hence we let $k \odot \ell = k \oplus \ell$ for $k, \ell \in \mathsf{Spec}$. The intuition is that transition intervals give constraints on timings; hence a synchronized transition has to satisfy both interval constraints. It can be shown that $\odot$ is not bounded, but relaxed bounded by $C_{\beta,\gamma}(\alpha,\alpha') = \max(\alpha,\alpha') \oplus_{\mathbb{L}} \max(\beta,\gamma)$.

Our notion of conjunction is consistent with the one for MECS in [7], and to make use of relaxed boundedness, we need to lift the notion of quantitative widening from the semantic ITMTS level to MECS. This is done by defining, for a clock constraint $\phi : \Sigma \to \mathbb{J}$ and $n \in \mathbb{N}$, the $n$-extended constraint $\phi^{+n} = \lambda a.\,\phi(a) + [-n,n]$ (this is similar to a construction in [8]), and then saying that a MECS $B$ is an $n$-widening of a MECS $A$ if there is a relation $R \subseteq Q_A \times Q_B$ for which $(q_0^A, q_0^B) \in R$, and for all $(q_A, q_B) \in R$, $q_A \overset{a,g}{\dashrightarrow}_A q_A'$ if and only if $q_B \overset{a,g^{+n}}{\dashrightarrow}_B q_B'$ with $(q_A', q_B') \in R$, and similarly for must transitions.

Theorem 3. Let $A, B$ be MECS. With $\wedge$ the notion of greatest lower bound from [7], $(\!|A \wedge B|\!) = (\!|A|\!) \wedge (\!|B|\!)$. If $A$ or $B$ is strongly deterministic and there is a MECS $C$ for which $d_m(C,A) \neq \infty$ and $d_m(C,B) \neq \infty$, then there are an $n$-widening $A'$ of $A$ and an $m$-widening $B'$ of $B$ for which $A' \wedge B'$ is defined, and such that $d_m(C, A' \wedge B') \le \max(d_m(C,A), d_m(C,B)) + \max(n,m)$ for all MECS $C$ for which $d_m(C,A) \neq \infty$ and $d_m(C,B) \neq \infty$.

Proof. $(\!|A \wedge B|\!) = (\!|A|\!) \wedge (\!|B|\!)$ by definition, and the second claim follows from [4, Thm. 5] and the homomorphism property of $g : \mathbb{L} \to \mathbb{R}_{\ge 0} \cup \{\infty\}$. □